Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-691-1 libxml2

Debian Security Advisory

DLA-691-1 libxml2 -- LTS security update

Date Reported:

31 Oct 2016

Affected Packages:

libxml2

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-4658, CVE-2016-5131.

More information:

• CVE-2016-4658

  Namespace nodes must be copied to avoid use-after-free errors. But they don't necessarily have a physical representation in a document, so simply disallow them in XPointer ranges.

• CVE-2016-5131

  The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution.

For Debian 7 Wheezy, these problems have been fixed in version 2.8.0+dfsg1-7+wheezy7.

We recommend that you upgrade your libxml2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS